Information Commissioner's Office


ICO consultation on the draft right of access guidance


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please email SARguidance@ico.org.uk.


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from
organisations but we will remove any personal data before
publication. We will not publish responses received from respondents
who have indicated that they are an individual acting in a private
capacity (e.g. a member of the public). For more information about
what we do with personal data see our privacy notice.


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather
this information. Any data collected by Snap Surveys for ICO is
stored on UK servers. You can read their Privacy Policy.


Q1 Does the draft guidance cover the relevant issues about the right of access?

X Yes
O No
O Unsure/don't know


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


Q2 Does the draft guidance contain the right level of detail?

O Yes
O No
X Unsure/don't know


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


It would be really good to have some more practical examples, e.g.:
- Template wording for covering letters responding to a SAR.
- What we can ask of suppliers, as often we need their help — this can be covered in our contract
with them, although at a price. Also, DC to DC, how to deal with SARs jointly.

Also guidance on timescales — it now seems that time runs from the date of receipt regardless
of whether we ask for more information. Is this the case if we don't have the right details, i.e. the
data subject gives us a different address or name, or it's an employee who has worked for us for
30 years but is also a client/member/patient/dismissed employee?


Q3 Does the draft guidance contain enough examples?

O Yes
X No
O Unsure/don't know


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


The more examples the better, as it really helps us to ensure compliance in practice, e.g.
see above comments.

P25 - lots of useful information about how to deal with deleted information/emails. We
always struggle with this in practice given the amount of email traffic there is nowadays.

P56 - employee reference letter: the position has been changed, i.e. confidential works both
ways. This is a big difference for us, and in the past we have been required to hand over
reference letters regardless of the potential harm to the referee.

P62 - interesting section about health data - perhaps you could have industry-specific
examples, e.g. as an appendix.

P66 - some info on Access to Medical Records, although it states firmly that this is not
something within the ICO remit. This is often, however, an area where it can be confusing
what we are required to do by the various relevant pieces of legislation, so more examples
would help.

It would also be good to have advice on what to do with SARs which are a precursor to or
part of a complaint, disciplinary or redundancy process or other employee-related issue
- a very separate process, but guidance on what can be excluded in these circumstances.


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


Agreed, we do struggle and previously took the view it could never really be relied upon -
we have contacted the ICO about this in the past and this was effectively the guidance
given, even when the SAR request letter states that 'if you settle then we will withdraw
the SAR'. The advice from the ICO was that 'SARs are purpose blind'.

The 'Manifestly Unfounded' guidance in p35 seems to have changed the position and
seems to suggest that if a complainant/claimant offered to withdraw if we settle (as stated
above, we have had this) we could then refuse. It would be good to know if this is really
the case.

We have had SARs which have taken weeks to complete, with multiple people involved,
where the data held is complex and from multiple sources, e.g. in multi-service healthcare
companies the data subject could be an employee, a patient, a gym member, have physio
services etc...

Also p39 seems to suggest that we can refuse disclosure more easily if third party
information is included because of the rights of a third party, e.g. balancing the effect of
disclosure on that third party - this seems to be a shift from previous advice from the
ICO.

Again, further clear examples would help.


Q5 On a scale of 1-5 how useful is the draft guidance?

1 - Not at all useful
2 - Slightly useful
3 - Moderately useful
4 - Very useful
5 - Extremely useful


Q6 Why have you given this score? 


Any guidance is good and you have included a number of great examples, although I do
think there could be more, e.g. even if it's in an appendix, and perhaps add some that are
industry specific. I would happily come up with some scenarios that are common to
healthcare companies.


Q7 To what extent do you agree that the draft guidance is clear and easy to understand?

Strongly disagree
Disagree
Neither agree nor disagree
Agree
Strongly agree


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


I always find the guidance from the ICO very clear and helpful - this is complex law and 
guidance on how to apply it in practice is always helpful. It may be helpful to meet with 
representatives from some of the business sectors to understand better how the law 
works in practice. 


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

X An individual acting in a professional capacity 

O On behalf of an organisation 

O Other 


Please specify the name of your organisation: 


Nuffield Health 


What sector are you from: 


Health care including hospitals, gyms, physio, Occupational Health .... 


Q10 How did you find out about this survey?

O ICO Twitter account
O ICO Facebook account
O ICO LinkedIn account
O ICO website
O ICO newsletter
O ICO staff member
O Colleague
O Personal/work Twitter account
O Personal/work Facebook account
O Personal/work LinkedIn account
O Other




Thank you for taking the time to complete the survey. 


